MSA-12-0036: Cross-site scripting vulnerability in category identifier

MSA-12-0036: Cross-site scripting vulnerability in category identifier

by Michael de Raadt -
Number of replies: 0
Topic: XSS in /cohort/edit.php (POST parameter: idnumber)
Severity/Risk: Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by: Dan Poltawski
Issue no.: MDL-31691

CVE Identifier:

CVE-2012-2365
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31691

Description:

The idnumber field, an arbitrary unique identifier for a category, was able to be entered without being filtered.